HCL ZIE for Web Information Exposure Vulnerability Allowing Session Hijacking

Vulnerability

A vulnerability allowing information exposure exists in HCL ZIE for Web version 16.0. Sensitive session tokens and authentication identifiers are transmitted through URL query parameters. This exposure can be exploited by an attacker who accesses network logs or interacts with a site linked from the application, potentially leading to session hijacking.

Impact

Exposing session tokens in URLs increases the risk of session hijacking, as these tokens can be captured by an attacker through various means, such as network logs or the Referer header when off-site links are followed.

Remediation

Users can upgrade to HCL ZIE for Web version 16.0.1, which addresses this vulnerability. Additionally, implementing CSRF token validation on critical requests, configuring session timeouts and revalidation, and applying session fixation and reuse prevention measures can help mitigate the risks associated with exposing session identifiers in URLs.
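To check where URL-borne session identifiers have already landed, the following added example (not part of the advisory or of HCL's software) scans web server access logs in Combined Log Format for session-like query parameters in the request target or the Referer field and returns a redacted copy of each hit. The parameter names, hosts and log lines are assumptions constructed for illustration; the advisory does not name the affected parameters.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed parameter names (not taken from the advisory); use your application's own.
SENSITIVE_PARAMS = {"sessionid", "jsessionid", "sid", "token", "auth"}

# Combined Log Format: client, timestamp, request line, status, size, Referer, User-Agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def redact_url(url):
    """Return (url with sensitive query values masked, names of the masked parameters)."""
    parts = urlsplit(url)
    found, pairs = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            found.append(name)
            value = "REDACTED"
        pairs.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(pairs))), found

def scan(lines):
    """Flag log lines whose request target or Referer carries a session parameter."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not Combined Log Format; skipped rather than guessed at
        for field in ("target", "referer"):
            redacted, found = redact_url(m.group(field))
            if found:
                findings.append({"line": lineno, "field": field,
                                 "params": found, "redacted": redacted})
    return findings

# Constructed sample lines (documentation addresses and hosts, made-up token values).
# The third line is what a linked off-site server would record via the Referer header.
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Feb/2026:11:19:00 +0000] "GET /app/start?sessionid=abc123&lang=en HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [23/Feb/2026:11:20:00 +0000] "GET /static/logo.png HTTP/1.1" 200 2048 "https://app.example/app/start?lang=en" "Mozilla/5.0"',
    '198.51.100.7 - - [23/Feb/2026:11:21:00 +0000] "GET /landing HTTP/1.1" 200 128 "https://app.example/app/view?token=xyz789" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Any session whose identifier shows up in such a finding should be treated as exposed and invalidated, since the log file itself is now a copy of the credential.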

Added: Feb 23, 2026, 11:19 AM
Updated: Feb 23, 2026, 6:29 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.1
exploitability: 4.6
remediation: 0.0
relevance: 3.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.